snakekeylogger | 1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe
Size

1.1MB
MD5

fd06aeefc7397dd23b37723a015bb4f7
SHA1

7ae26b0c428dc50fa802c16aeb555602b63b255b
SHA256

1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398
SHA512

4cdf4c17c0a646e3586d88784aed09e0e31b2e55dd8c502012f5d7d2af7c20882114ae9b50771ce80e1fa8435414a7097d3c75959923ab4e30121650620afb45
SSDEEP

24576:wAOcZlYFHb9hHgV07huAPNnjLzCXPQ+T5beBP:uBHbfAV0lHCXY+TUBP

Score

10^/10

snakekeylogger collection evasion keylogger persistence spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/4400-148-0x0000000000550000-0x0000000000B6A000-memory.dmp	family_snakekeylogger
behavioral2/memory/4400-151-0x0000000000550000-0x0000000000576000-memory.dmp	family_snakekeylogger

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2572	kxvcvt.exe
4400	RegSvcs.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	kxvcvt.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	kxvcvt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	kxvcvt.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	kxvcvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_84\\kxvcvt.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\6_84\\FKWFSI~1.DOC"	kxvcvt.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	kxvcvt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\6_84 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_84\\start.vbs"	kxvcvt.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 4400	2572	kxvcvt.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
4400	RegSvcs.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
4400	RegSvcs.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe
2572	kxvcvt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	RegSvcs.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 3876	2328	1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe	85
PID 2328 wrote to memory of 3876	2328	1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe	85
PID 2328 wrote to memory of 3876	2328	1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe	85
PID 3876 wrote to memory of 2572	3876	WScript.exe	86
PID 3876 wrote to memory of 2572	3876	WScript.exe	86
PID 3876 wrote to memory of 2572	3876	WScript.exe	86
PID 2572 wrote to memory of 4664	2572	kxvcvt.exe	87
PID 2572 wrote to memory of 4664	2572	kxvcvt.exe	87
PID 2572 wrote to memory of 4664	2572	kxvcvt.exe	87
PID 2572 wrote to memory of 2268	2572	kxvcvt.exe	90
PID 2572 wrote to memory of 2268	2572	kxvcvt.exe	90
PID 2572 wrote to memory of 2268	2572	kxvcvt.exe	90
PID 2572 wrote to memory of 1296	2572	kxvcvt.exe	94
PID 2572 wrote to memory of 1296	2572	kxvcvt.exe	94
PID 2572 wrote to memory of 1296	2572	kxvcvt.exe	94
PID 2572 wrote to memory of 1620	2572	kxvcvt.exe	96
PID 2572 wrote to memory of 1620	2572	kxvcvt.exe	96
PID 2572 wrote to memory of 1620	2572	kxvcvt.exe	96
PID 2572 wrote to memory of 2300	2572	kxvcvt.exe	97
PID 2572 wrote to memory of 2300	2572	kxvcvt.exe	97
PID 2572 wrote to memory of 2300	2572	kxvcvt.exe	97
PID 2572 wrote to memory of 4980	2572	kxvcvt.exe	99
PID 2572 wrote to memory of 4980	2572	kxvcvt.exe	99
PID 2572 wrote to memory of 4980	2572	kxvcvt.exe	99
PID 2572 wrote to memory of 3204	2572	kxvcvt.exe	100
PID 2572 wrote to memory of 3204	2572	kxvcvt.exe	100
PID 2572 wrote to memory of 3204	2572	kxvcvt.exe	100
PID 2572 wrote to memory of 4400	2572	kxvcvt.exe	103
PID 2572 wrote to memory of 4400	2572	kxvcvt.exe	103
PID 2572 wrote to memory of 4400	2572	kxvcvt.exe	103
PID 2572 wrote to memory of 4400	2572	kxvcvt.exe	103
PID 2572 wrote to memory of 4400	2572	kxvcvt.exe	103

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe
"C:\Users\Admin\AppData\Local\Temp\1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_84\ntie.vbe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\6_84\kxvcvt.exe
    "C:\Users\Admin\AppData\Local\Temp\6_84\kxvcvt.exe" fkwfsiwr.docx
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:4664
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:4980
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:3204
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6_84\DBGIWD~1.WEJ

Filesize
254KB

MD5
8832f3614c9b59deb2956971f62c6d5b

SHA1
0a0e3d69ade88530b4039aaf00a813466b5fed6c

SHA256
e174bbb6a357e15b4608c0dce987ed3e8738f450cf395419d9317d00d2a51cec

SHA512
707e81fd06358ea2b769c245c85174d591cbb9e93a568690d260a8dbfb0f3ef28f93f22dc286d0f1382eb814a495e371accf9781e22d2c2eb075c1a3156027b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_84\fkwfsiwr.docx

Filesize
110.1MB

MD5
008d7f78ef10f6973cd1457857ce237b

SHA1
3fea1659a5749d2ede04ee10b8c45b5d8d038c86

SHA256
b231b1c0f33616c41f4a87feeb71c4e02a86a9545b784159e860d06db0920831

SHA512
b1045db22d00a7ae68364995674b4c7af30cd73e5159fd341fcfe460ae32bd798b84493cd93947c9e826eec406794eb632fe9acc547f4e18dcc9fe75bc5194bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_84\kxvcvt.exe

Filesize
1.1MB

MD5
0c8370cbb51a8835068114629d94dab1

SHA1
f6fceae38ed84e9f83ec91ad6d879061f884d4a4

SHA256
ccdd89da940950d5637f6fa41b1ec6a1fc65d8f564dd747644d9b768853f415c

SHA512
15961d30b14a53d0b00bb25446cce8414161ca7cb88a0fee7e2bce67274d0cb5abcc4962259ec55355e469bfbd30167f435abfbb16738b29b593f01be4e65a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_84\kxvcvt.exe

Filesize
1.1MB

MD5
0c8370cbb51a8835068114629d94dab1

SHA1
f6fceae38ed84e9f83ec91ad6d879061f884d4a4

SHA256
ccdd89da940950d5637f6fa41b1ec6a1fc65d8f564dd747644d9b768853f415c

SHA512
15961d30b14a53d0b00bb25446cce8414161ca7cb88a0fee7e2bce67274d0cb5abcc4962259ec55355e469bfbd30167f435abfbb16738b29b593f01be4e65a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_84\womfala.xml

Filesize
67KB

MD5
08701371739f806eb67ba04ddb11de54

SHA1
ff126de452631d7bf71443f75c30222df1a3549d

SHA256
c151259ec9ab64de94e9266ca2cb9f8a5e670bf9d35e8a7becc166527fe4c72a

SHA512
44ce09184875c88c62aee5a17d1ab386a11fb80874a8a21f293b1c455b55876af1319ebb485dca450e9673de4261f3ebd6d5555dd3369b39ebc4fda7f63b2c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\temp\6_84\ntie.vbe

Filesize
67KB

MD5
6863f6c0f22b25009ca51f169073e8dd

SHA1
fb2273661d07063f3a3f262f56c36af85fc0d3d4

SHA256
b35ba4d16bed878dba20daf93186f3b8818d3f0a6b770ae70274bbedc1453ced

SHA512
0c85762acf589b05630036449403cdcd62b6772333c797a5fbfb17cc6e8408ea8853a21971e5ce10b9a1a18a32e259a6fedf108a0b2bb9e041571f13681a55f8

Download Submit
memory/1296-141-0x0000000000000000-mapping.dmp

Download
memory/1620-142-0x0000000000000000-mapping.dmp

Download
memory/2268-140-0x0000000000000000-mapping.dmp

Download
memory/2300-143-0x0000000000000000-mapping.dmp

Download
memory/2572-135-0x0000000000000000-mapping.dmp

Download
memory/3204-145-0x0000000000000000-mapping.dmp

Download
memory/3876-132-0x0000000000000000-mapping.dmp

Download
memory/4400-147-0x0000000000000000-mapping.dmp

Download
memory/4400-148-0x0000000000550000-0x0000000000B6A000-memory.dmp

Filesize
6.1MB

Download
memory/4400-151-0x0000000000550000-0x0000000000576000-memory.dmp

Filesize
152KB

Download
memory/4400-152-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/4400-153-0x0000000005190000-0x000000000522C000-memory.dmp

Filesize
624KB

Download
memory/4400-154-0x0000000006220000-0x00000000063E2000-memory.dmp

Filesize
1.8MB

Download
memory/4400-155-0x00000000063F0000-0x0000000006482000-memory.dmp

Filesize
584KB

Download
memory/4400-156-0x00000000061B0000-0x00000000061BA000-memory.dmp

Filesize
40KB

Download
memory/4664-139-0x0000000000000000-mapping.dmp

Download
memory/4980-144-0x0000000000000000-mapping.dmp

Download